It was found that Mozilla VPN in desktop environments sets up an HTTP server listening
on a local port that acts as the OAuth callback and expects an Authorization Code to complete
the authentication of Mozilla VPN. This creates a risk of attackers spamming requests to the
local server via JavaScript running in the user's browser, potentially disrupting the login
process of the app. This is possible because the local HTTP server is not protected by an
additional secret and therefore cannot distinguish legitimate requests from malicious ones.
It is recommended to protect the authentication listener with a dynamically generated
authentication token. The server should only be closed once authentication is either
successfully completed or canceled by the user. That way, attackers cannot deny
authentication by spamming the listener and closing it prematurely. This should be
feasible to implement, as Mozilla VPN already passes the local listener port in the
HTTP login URL.
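The token-gated listener the recommendation describes, written out as an added example that is not Mozilla VPN code: it models only the request-handling decision of the callback listener in standard C++ (the real listener sits behind Qt's networking, which is left out here). The class name, the `token`, `code` and `error` query parameter names, and the login URL layout are assumptions; the point it demonstrates is that requests without the per-session token are ignored rather than ending the flow, so a flood of bogus loopback requests cannot close the listener before the real callback arrives.

```cpp
#include <cstdint>
#include <iomanip>
#include <map>
#include <random>
#include <sstream>
#include <string>

// What the listener does with one incoming request on the loopback port.
enum class CallbackOutcome { Ignored, Completed, Cancelled };

// Hypothetical listener (not the Mozilla VPN class): one instance per login attempt.
class AuthCallbackListener {
public:
    AuthCallbackListener() : token_(generateToken()) {}

    // The login URL handed to the browser carries the port (as Mozilla VPN already
    // does) and, additionally, the per-session token. Parameter names are assumed.
    std::string loginUrl(const std::string& base, uint16_t port) const {
        return base + "?port=" + std::to_string(port) + "&token=" + token_;
    }

    // Handle the query string of one request (everything after '?').
    // Requests that do not carry the correct token are ignored and the listener
    // stays open, so spamming the port cannot deny the legitimate callback.
    CallbackOutcome handleRequest(const std::string& query) {
        if (!open_) return CallbackOutcome::Ignored;
        std::map<std::string, std::string> params = parseQuery(query);

        auto tok = params.find("token");
        if (tok == params.end() || !constantTimeEquals(tok->second, token_)) {
            return CallbackOutcome::Ignored;  // unauthenticated request: drop silently
        }
        // A token-bearing error response means the user declined at the identity
        // provider; that ends the flow just like a local cancel (design choice here).
        if (params.count("error")) {
            open_ = false;
            return CallbackOutcome::Cancelled;
        }
        auto code = params.find("code");
        if (code == params.end() || code->second.empty()) {
            return CallbackOutcome::Ignored;  // token ok but no code: keep waiting
        }
        code_ = code->second;
        open_ = false;  // closed only now, after a genuine completion
        return CallbackOutcome::Completed;
    }

    // The only other way the listener closes: the user cancels the login locally.
    void cancel() { open_ = false; }

    bool isOpen() const { return open_; }
    const std::string& token() const { return token_; }
    const std::string& code() const { return code_; }

private:
    // 128 bits from the OS entropy source, rendered as 32 hex characters.
    static std::string generateToken() {
        std::random_device rd;
        std::uniform_int_distribution<int> byte(0, 255);
        std::ostringstream out;
        for (int i = 0; i < 16; ++i) {
            out << std::hex << std::setw(2) << std::setfill('0') << byte(rd);
        }
        return out.str();
    }

    // Compare without leaking where the strings first differ.
    static bool constantTimeEquals(const std::string& a, const std::string& b) {
        if (a.size() != b.size()) return false;
        unsigned char diff = 0;
        for (size_t i = 0; i < a.size(); ++i) {
            diff |= static_cast<unsigned char>(a[i] ^ b[i]);
        }
        return diff == 0;
    }

    // Minimal "k=v&k2=v2" splitter; percent-decoding is omitted for brevity.
    static std::map<std::string, std::string> parseQuery(const std::string& query) {
        std::map<std::string, std::string> params;
        std::istringstream in(query);
        std::string pair;
        while (std::getline(in, pair, '&')) {
            if (pair.empty()) continue;
            size_t eq = pair.find('=');
            if (eq == std::string::npos) params[pair] = "";
            else params[pair.substr(0, eq)] = pair.substr(eq + 1);
        }
        return params;
    }

    std::string token_;
    std::string code_;
    bool open_ = true;
};
```

Because the token is minted fresh for each login attempt and only ever travels inside the login URL, a page that can reach the loopback port from JavaScript still cannot produce a request the listener will act on; the listener's lifetime is tied to a real completion or an explicit cancel, which is exactly the property the recommendation asks for.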
Affected File:
src/tasks/authenticate/desktopauthenticationlistener.cpp
Affected Code: